A superior way to use Let's Encrypt
Date posted
19 April 2016
Reading time
7 Minutes
A superior way to use Let's Encrypt
Let's Encrypt is awesome. This is an objective fact. If you never heard about it and you are still using self-signed certificates, go check out the link. In short, Let's Encrypt allows you to get valid SSL certificates for free. Once you set it up, there's absolutely no reason to use self-signed certificates any longer.
but until recently there was a catch
In order to understand it, though, we need to lay out some basics. Let's Encrypt consists of a few key elements:- Boulder CA written in Go
- Letsencrypt client written in Python
- ACME Protocol which is used to communicate between the Letsencrypt client and the Boulder server
- Provisioning a DNS record under example.com, or
- Provisioning an HTTP resource under a well-known URI on https://example.com/
So what was the catch?
Until recently, neither Boulder server nor Letsencrypt client supported the DNS method. Therefore, you had to use the HTTP one. And the catch came with some of its limitations:- What if I want a valid SSL certificate for a service that's only ever used internally and should never be exposed to the Internet? In this scenario, the Boulder server won't be able to connect to it in order to download the challenge response. I might not even have an A DNS record for it, which is a prerequisite for the HTTP method.
- What if I want to create the certificates for all my domains in a central point, like the build server? The public DNS records point to my webservers or loadbalancers, not my build server, therefore, I'll have to install letsencrypt client on those.